A server likely used by Lazarus Group offers clues to a broader espionage campaign

An analysis of a suspected Lazarus C2 server shows it was the centerpiece of an espionage campaign that is broader and longer-running than previously understood.
North Korean flags blow outside an apartment building. Lazarus Group, a broad set of suspected North Korean hackers, is behind Operation Sharpshooter, according to McAfee. (Flickr user (stephan))

An analysis of a command-and-control server suspected of being used by North Korean hackers shows it was the centerpiece of a previously discovered global espionage campaign that is broader and longer-running than initially understood, security researchers with McAfee announced Sunday.

The campaign began as early as September 2017, a year earlier than previously documented, and is targeting financial services and government organizations, among others, researchers said. Most of the malicious activity is against organizations in Germany, Turkey, the U.S., and the United Kingdom, the researchers said.

In December, McAfee published research on the espionage campaign, dubbed Operation Sharpshooter, saying it hit 87 organizations – including those in the nuclear, defense, and financial sectors – in October and November alone.

After picking apart code and other data from the server, McAfee researchers say they’ve found “striking similarities” between last year’s attacks and several others attributed to Lazarus Group, a broad set of suspected North Korean hackers. They also describe a “factory-like process” used by Lazarus where components of a malicious implant have been developed independently and employed in various settings since 2016.


The hackers appear to have tested their malicious implants using far-flung infrastructure. Researchers found a set of IP addresses accessing the server that originated from the African nation of Namibia. “We saw the actor was using the infrastructure to test small runs of sending out the implants, not as the larger bursts we observed during” the espionage campaign, Christiaan Beek, McAfee’s lead scientist, told CyberScoop.

An unnamed government organization gave McAfee access to the server likely used by Lazarus, which U.S. officials have blamed for the destructive attack on Sony Pictures in 2014 and for the WannaCry ransomware outbreak in 2017.

While North Korean hackers are well-known for those highly visible hacks, they have also been linked to espionage activities – both for economic gain and traditional intelligence collection. For example, they have allegedly used a Google Chrome extension to spy on academics. As North Korea feels the bite of international sanctions, some analysts expect the government’s hackers to ramp up commercial espionage this year.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
